叉烧,F100和U200野蛮模式建立ipsec失败
问题描述:
U
*Oct 26 09:18:59:474
*Oct 26 09:18:59:474
*Oct 26 09:18:59:475
*Oct 26 09:18:59:475
昨天搞了一天了,大佬们能不能帮忙找下问题
组网及组网描述:
这里是两边的配置
<u
#
version 5.
#
sysname u
#
l2tp enable
#
undo voice vlan mac-address 00e0-bb00-0000
#
ike local-name u
#
ip pool 1 192.168.0.2 192.168.0.254
#
domain default enable system
#
telnet server enable
#
acl number
rule 0 permit
#
acl number 3000
rule 0 permit tcp source 0.0.0.2 255.255.255.252 destination 192.168.0.11 0
acl number 3001
rule 10 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3002
rule 5 deny ip source 192.168.0.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 10 permit ip
#
vlan 1
#
domain system
authentication ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 172.16.1.2 172.16.1.254
#
pki domain default
crl check disable
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike peer 1
exchange-mode aggressive
pre-shared-key simple jmsx@123
remote-name f100
local-address 2
nat traversal
#
ipsec proposal 1
esp encryption-algorithm 3des
#
ipsec policy 1 1 isakmp
security acl 3001
ike-peer 1
proposal 1
#
user-group system
#
local-user admin
password cipher \@9>C=-:@@KQ=^Q`MAF4<1!!
authorization-attribute level 3
service-type telnet
local-user user1
password cipher 0`FUW8DO]`3Q=^Q`MAF4<1!!
authorization-attribute level 3
service-type ppp
local-user usera
password simple usera
service-type ppp
local-user works
password simple gmwork
service-type ppp
#
l2tp-group 1
mandatory-lcp
allow l2tp virtual-template 1
tunnel name LNS
#
interface Virtual-Template1
ppp authentication-mode chap domain system
remote address pool 1
ip address 172.16.1.1 255.255.255.0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet0/1
port link-mode route
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/2
port link-mode route
ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet0/3
port link-mode route
#
interface GigabitEthernet0/4
port link-mode route
nat outbound 3002
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol udp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol udp global 2
nat server protocol tcp global 2
nat server protocol udp global 2
nat server protocol udp global 2
nat server protocol tcp global 2
nat server protocol tcp global 2
nat server protocol udp global 2
nat server protocol tcp global 2
nat server protocol udp global 2
nat server protocol tcp global 2
ip address 2
ipsec policy 1
#
ip route-static 0.0.0.0 0.0.0.0 2
ip route-static 192.168.0.0 255.255.255.0 GigabitEthernet0/1 172.16.1.22
#
nat static 192.168.0.0 2
#
load xml-configuration
#
load tr069-configuration
#
user-interface con 0
user-interface vty 0 4
authentication-mode scheme
#
return
最佳答案
到底是第几阶段（IKE 第一阶段还是 IPsec 第二阶段）没起来？在防火墙上打开 debug 看一下 IPsec 协商信息呢。
<f100>dis cu
#
version 7.1.064, Release 9510P06
#
sysname f100
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
dialer-group 1 rule ip permit
#
dhcp enable
dhcp server forbidden-ip 192.168.1.1 192.168.1.99
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool 1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.1.1
forbidden-ip 192.168.1.99
#
interface Dialer1
mtu 1450
ppp chap password cipher $c$3$GUfeJHWJOvC0i1EDaZJEIuHWXv8L0Y5FOA==
ppp chap user pppoe_jiemsx804
ppp pap local-user pppoe_jiemsx804 password cipher $c$3$p/ZkZlMM71C11g/YnO2z60atYn6kpKdaPA==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
ip address ppp-negotiate
tcp mss 1024
nat outbound 3002
ipsec apply policy 1
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description waiwang
combo enable copper
pppoe-client dial-bundle-number 1
ipsec apply policy 1
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
import interface GigabitEthernet1/0/3 vlan 1
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer1
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source DMZ destination Local
packet-filter 3000
#
zone-pair security source DMZ destination Trust
packet-filter 3000
#
zone-pair security source DMZ destination Untrust
packet-filter 3000
#
zone-pair security source Local destination DMZ
packet-filter 3000
#
zone-pair security source Local destination Trust
packet-filter 3000
#
zone-pair security source Local destination Untrust
packet-filter 3000
#
zone-pair security source Trust destination DMZ
packet-filter 3000
#
zone-pair security source Trust destination Local
packet-filter 3000
#
zone-pair security source Trust destination Untrust
packet-filter 3000
#
zone-pair security source Untrust destination DMZ
packet-filter 3000
#
zone-pair security source Untrust destination Local
packet-filter 3000
#
zone-pair security source Untrust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer1
#
ssh server enable
#
acl advanced 3000
rule 10 permit ip
#
acl advanced 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
acl advanced 3002
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 10 permit ip
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$qlSd6v6XTza3GBaJ$WAwvyKZynjIAlckEmm3vJ481VMU2kMQHgf6MQo+OLBV6lAL8ps2PduIYwZ+NyTOvWmKP9rQoIL02bM+IchkiqA==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template 1 1
transform-set 1
security acl 3001
remote-address 2
ike-profile 1
#
ipsec policy 1 1 isakmp template 1
#
ike identity fqdn f100
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn f100
match remote identity address 0.0.0.0 0.0.0.0
match local address Dialer1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 1
match local address Dialer1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$q+ioTTx4SmUhuzn7Ge5Qt5OxMdmsVgxs836J
#
ip https enable
#
return
<f100>dis cu
#
version 7.1.064, Release 9510P06
#
sysname f100
#
context Admin id 1
#
irf mac-address persistent timer
irf auto-update enable
undo irf link-delay
irf member 1 priority 1
#
security-zone intra-zone default permit
#
dialer-group 1 rule ip permit
#
dhcp enable
dhcp server forbidden-ip 192.168.1.1 192.168.1.99
#
password-recovery enable
#
vlan 1
#
dhcp server ip-pool 1
gateway-list 192.168.1.1
network 192.168.1.0 mask 255.255.255.0
dns-list 114.114.114.114
forbidden-ip 192.168.1.1
forbidden-ip 192.168.1.99
#
interface Dialer1
mtu 1450
ppp chap password cipher $c$3$GUfeJHWJOvC0i1EDaZJEIuHWXv8L0Y5FOA==
ppp chap user pppoe_jiemsx804
ppp pap local-user pppoe_jiemsx804 password cipher $c$3$p/ZkZlMM71C11g/YnO2z60atYn6kpKdaPA==
dialer bundle enable
dialer-group 1
dialer timer idle 0
dialer timer autodial 60
ip address ppp-negotiate
tcp mss 1024
nat outbound 3002
ipsec apply policy 1
#
interface NULL0
#
interface Vlan-interface1
ip address 192.168.1.1 255.255.255.0
nat hairpin enable
#
interface GigabitEthernet1/0/0
port link-mode route
combo enable copper
ip address 192.168.100.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-mode route
description waiwang
combo enable copper
pppoe-client dial-bundle-number 1
ipsec apply policy 1
#
interface GigabitEthernet1/0/2
port link-mode route
#
interface GigabitEthernet1/0/4
port link-mode route
#
interface GigabitEthernet1/0/5
port link-mode route
#
interface GigabitEthernet1/0/6
port link-mode route
#
interface GigabitEthernet1/0/7
port link-mode route
#
interface GigabitEthernet1/0/8
port link-mode route
#
interface GigabitEthernet1/0/9
port link-mode route
#
interface GigabitEthernet1/0/10
port link-mode route
#
interface GigabitEthernet1/0/11
port link-mode route
#
interface GigabitEthernet1/0/3
port link-mode bridge
#
security-zone name Local
#
security-zone name Trust
import interface Vlan-interface1
import interface GigabitEthernet1/0/3 vlan 1
#
security-zone name DMZ
#
security-zone name Untrust
import interface Dialer1
import interface GigabitEthernet1/0/1
#
security-zone name Management
import interface GigabitEthernet1/0/0
import interface GigabitEthernet1/0/2
#
zone-pair security source DMZ destination Local
packet-filter 3000
#
zone-pair security source DMZ destination Trust
packet-filter 3000
#
zone-pair security source DMZ destination Untrust
packet-filter 3000
#
zone-pair security source Local destination DMZ
packet-filter 3000
#
zone-pair security source Local destination Trust
packet-filter 3000
#
zone-pair security source Local destination Untrust
packet-filter 3000
#
zone-pair security source Trust destination DMZ
packet-filter 3000
#
zone-pair security source Trust destination Local
packet-filter 3000
#
zone-pair security source Trust destination Untrust
packet-filter 3000
#
zone-pair security source Untrust destination DMZ
packet-filter 3000
#
zone-pair security source Untrust destination Local
packet-filter 3000
#
zone-pair security source Untrust destination Trust
packet-filter 3000
#
scheduler logfile size 16
#
line class aux
user-role network-operator
#
line class console
user-role network-admin
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line con 0
authentication-mode scheme
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-admin
#
ip route-static 0.0.0.0 0 Dialer1
#
ssh server enable
#
acl advanced 3000
rule 10 permit ip
#
acl advanced 3001
rule 10 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
#
acl advanced 3002
rule 5 deny ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.255
rule 10 permit ip
#
domain system
#
aaa session-limit ftp 16
aaa session-limit telnet 16
aaa session-limit ssh 16
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user admin class manage
password hash $h$6$qlSd6v6XTza3GBaJ$WAwvyKZynjIAlckEmm3vJ481VMU2kMQHgf6MQo+OLBV6lAL8ps2PduIYwZ+NyTOvWmKP9rQoIL02bM+IchkiqA==
service-type ssh terminal https
authorization-attribute user-role level-3
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
#
ipsec policy-template 1 1
transform-set 1
security acl 3001
remote-address 2
ike-profile 1
#
ipsec policy 1 1 isakmp template 1
#
ike identity fqdn f100
#
ike profile 1
keychain 1
exchange-mode aggressive
local-identity fqdn f100
match remote identity address 0.0.0.0 0.0.0.0
match local address Dialer1
proposal 1
#
ike proposal 1
encryption-algorithm 3des-cbc
dh group2
authentication-algorithm md5
#
ike keychain 1
match local address Dialer1
pre-shared-key address 0.0.0.0 0.0.0.0 key cipher $c$3$q+ioTTx4SmUhuzn7Ge5Qt5OxMdmsVgxs836J
#
ip https enable
#
return